CyberEye

By Patrick Marshall

The problem with PIV cards

Personal identification verification cards -- smartcards that contain an employee’s photo, biometrics, encryption keys and credentials -- are a great idea. They offer not only secure authentication but the ability to centrally manage that individual’s access to federal resources. Unfortunately, PIV cards have never quite lived up to their promise to control access to federal networks and physical locations.

Some of the problems have been technical. There were glitches using PIV card readers with Windows 7, for example. And there is always the challenge of keeping up with new technologies. It was only in 2015, for example, that the National Institute of Standards and Technology updated its specifications for the cards to allow them to work with smartphones.

But the biggest problems with PIV cards have been administrative. A 2017 Government Accountability Office report, for example, noted that agencies often fail to retrieve PIV cards from separated employees and contractors. And a February 2018 report by the Department of Homeland Security inspector general found that the department lacks effective protocols to ensure against no-longer-authorized contractors from using unretrieved PIV cards to access facilities and networks.

According to Dan Conrad, federal CTO for One Identity, a California-based vendor of identity access management solutions, PIV cards face another major challenge -- working with legacy programs.

“Anytime I authenticate with my PIV card, the validity of the certificate on the card is checked, so in theory [an agency] can revoke the certificate centrally,” Conrad said. The problem, he said, is that many applications still in use aren’t PIV compatible and, in some cases, the vendor may no longer be in business. “What the organizations are looking for is someone to go back and rewrite the authentication modules of this application so it can be rolled under the PIV module,” said Conrad. “That is almost impossible in a lot of situations, or extremely expensive.”

As a result, agencies using such applications create “exceptions lists” that allow individuals to access those programs without being under the PIV umbrella. Other options include abandoning incompatible legacy applications or acquiring a PIV-compatible single-sign-on solution. Which option is best will, of course, depend how critical the legacy software is to the agency’s mission.

One Identity and several other vendors offer workarounds.

“Our solution for that is a bridge solution that will take applications that require usernames and passwords, and we encrypt and walletize those usernames and passwords and inject them after authenticating with a PIV,” said Conrad. “Upon successful entrance of your PIN and certificate validation, we decrypt the password from the wallet and then inject the credentials. The user doesn’t even know what they are."

“A small organization may have only one or two applications that only a few users use,” noted Conrad. “They may be able to just go out and get a new [PIV-compatible] application that does the same thing.”

Another shortcoming of the current generation of PIV cards, Conrad said, is that many of the apps people use on smartphones also fall outside the PIV umbrella because they don’t accommodate derived credentials.